
Possible Duplicate:
Best way to prevent SQL injection?

I know there are a lot of guides out there about this topic and I've read a lot about it, but I wanted to ask someone directly and get confirmation about this.

Okay, so to my questions. First of all, how often do you need to use mysql_real_escape_string?

Example, if I have a query with:

"SELECT * FROM tabel WHERE id = $_POST['id'] and email LIKE '%hotmail.com' and row = 2"

What exactly do I need to escape here? Is it enough with the $_POST or should I do it with all the variables in the query? (saferize(2), saferize(%hotmail.com))?

Another question I have is whether this function is good for sanitizing:

function saferize($string) {
    // Undo magic_quotes so the value is not escaped twice
    if(get_magic_quotes_gpc() == true) {
        $string = stripslashes($string);
    }
    // HTML-encode everything, then restore the <br /> tags the site inserts itself.
    // htmlspecialchars() has already turned '<br />' into '&lt;br /&gt;', so the
    // encoded form is what must be searched for; compare with !== false because
    // strpos() returns 0 (falsy) when the match is at the start of the string.
    $string = htmlspecialchars($string);
    if(strpos($string, '&lt;br /&gt;') !== false){
        $string = str_replace('&lt;br /&gt;', '<br />', $string);
    }
    return mysql_real_escape_string($string);
}

I am inserting <br /> directly into the database, so I made an exception for the htmlspecialchars($string) for that purpose. What's the security regard on this?

Thanks for reply.

oBo

1 Answer


If $_POST['id'] is an integer, you can cast it explicitly to an integer and use the result in the query:

$id = (int)$_POST['id'];
$sql = "SELECT * FROM tabel WHERE id = $id and email LIKE '%hotmail.com' and row = 2";

Or use a PDO prepared statement:

// The ? placeholder is bound to $_POST['id'] by the driver, so the value is never
// interpolated into the SQL text; the fixed literals can stay in the statement.
$stmt = $dbh->prepare("SELECT * FROM tabel WHERE id = ? and email LIKE '%hotmail.com' and row = 2");
if ($stmt->execute(array($_POST['id']))) {
  while ($row = $stmt->fetch()) {
    print_r($row);
  }
}
VuesomeDev
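As an added example (not code from the question or the answer), the same lookup done with PDO named parameters and typed binding, with the <br /> handling from saferize() moved to output time so the database only ever holds plain text. It assumes a local DSN, the table tabel with columns id, email and row, and a hypothetical comments table.

```php
<?php
// Added example, not from the original post. Assumed DSN and credentials;
// emulated prepares are disabled so statement and values travel separately.
function connect(): PDO {
    return new PDO('mysql:host=localhost;dbname=test', 'user', 'pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Only the request-controlled value is a parameter; the literals '%hotmail.com'
// and 2 are constants and can stay in the SQL text or be bound, as here.
function findByIdAndDomain(PDO $dbh, string $rawId): array {
    if (!ctype_digit($rawId)) {   // reject anything that is not a non-negative integer
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $dbh->prepare(
        'SELECT * FROM tabel WHERE id = :id AND email LIKE :pattern AND row = 2'
    );
    $stmt->bindValue(':id', (int)$rawId, PDO::PARAM_INT);
    $stmt->bindValue(':pattern', '%hotmail.com', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Store user text exactly as typed (hypothetical comments table); line breaks
// stay as "\n" in the database instead of being stored as <br /> markup.
function storeComment(PDO $dbh, int $userId, string $text): void {
    $stmt = $dbh->prepare('INSERT INTO comments (user_id, body) VALUES (:uid, :body)');
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':body', $text, PDO::PARAM_STR);
    $stmt->execute();
}

// HTML-encode when rendering, then turn newlines into <br /> tags. This gives the
// same visible result as saferize()'s <br /> exception without the exception.
function renderComment(string $body): string {
    return nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Constructed input: the encoder neutralises the tag, nl2br restores the line break.
echo renderComment("hello <script>alert(1)</script>\nworld"), PHP_EOL;
```

Escaping for SQL and encoding for HTML are two different output contexts; doing the HTML step on the way into the database, as saferize() does, means every other consumer of that column (e-mails, JSON, CSV exports) receives already-encoded text.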